secure_headers 3.0.3 → 3.1.0

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -4,7 +4,7 @@ module SecureHeaders
   describe StrictTransportSecurity do
     describe "#value" do
       specify { expect(StrictTransportSecurity.make_header).to eq([StrictTransportSecurity::HEADER_NAME, StrictTransportSecurity::DEFAULT_VALUE]) }
-      specify { expect(StrictTransportSecurity.make_header("max-age=1234")).to eq([StrictTransportSecurity::HEADER_NAME, "max-age=1234"]) }
+      specify { expect(StrictTransportSecurity.make_header("max-age=1234; includeSubdomains; preload")).to eq([StrictTransportSecurity::HEADER_NAME, "max-age=1234; includeSubdomains; preload"]) }
 
       context "with an invalid configuration" do
         context "with a string argument" do

data/spec/lib/secure_headers/middleware_spec.rb

@@ -2,11 +2,11 @@ require "spec_helper"
 
 module SecureHeaders
   describe Middleware do
-    let(:app) { ->(env) { [200, env, "app"] } }
+    let(:app) { lambda { |env| [200, env, "app"] } }
+    let(:cookie_app) { lambda { |env| [200, env.merge("Set-Cookie" => "foo=bar"), "app"] } }
 
-    let :middleware do
-      Middleware.new(app)
-    end
+    let(:middleware) { Middleware.new(app) }
+    let(:cookie_middleware) { Middleware.new(cookie_app) }
 
     before(:each) do
       reset_config
@@ -33,8 +33,27 @@ module SecureHeaders
       end
       request = Rack::Request.new({})
       SecureHeaders.use_secure_headers_override(request, "my_custom_config")
+      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config"))
       _, env = middleware.call request.env
       expect(env[CSP::HEADER_NAME]).to match("example.org")
     end
+
+    context "cookies should be flagged" do
+      it "flags cookies as secure" do
+        Configuration.default { |config| config.secure_cookies = true }
+        request = Rack::MockRequest.new(cookie_middleware)
+        response = request.get '/'
+        expect(response.headers['Set-Cookie']).to match(Middleware::SECURE_COOKIE_REGEXP)
+      end
+    end
+
+    context "cookies should not be flagged" do
+      it "does not flags cookies as secure" do
+        Configuration.default { |config| config.secure_cookies = false }
+        request = Rack::MockRequest.new(cookie_middleware)
+        response = request.get '/'
+        expect(response.headers['Set-Cookie']).not_to match(Middleware::SECURE_COOKIE_REGEXP)
+      end
+    end
   end
 end

data/spec/lib/secure_headers_spec.rb

@@ -2,48 +2,39 @@ require 'spec_helper'
 
 module SecureHeaders
   describe SecureHeaders do
-    example_hpkp_config = {
-      max_age: 1_000_000,
-      include_subdomains: true,
-      report_uri: '//example.com/uri-directive',
-      pins: [
-        { sha256: 'abc' },
-        { sha256: '123' }
-      ]
-    }
-
-    example_hpkp_config_value = %(max-age=1000000; pin-sha256="abc"; pin-sha256="123"; report-uri="//example.com/uri-directive"; includeSubDomains)
-
     before(:each) do
       reset_config
-      @request = Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on")
     end
 
+    let(:request) { Rack::Request.new("HTTP_X_FORWARDED_SSL" => "on") }
+
     it "raises a NotYetConfiguredError if default has not been set" do
       expect do
-        SecureHeaders.header_hash_for(@request)
+        SecureHeaders.header_hash_for(request)
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
     it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
       expect do
-        SecureHeaders.opt_out_of_header(@request, CSP::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
     describe "#header_hash_for" do
       it "allows you to opt out of individual headers" do
         Configuration.default
-        SecureHeaders.opt_out_of_header(@request, CSP::CONFIG_KEY)
-        hash = SecureHeaders.header_hash_for(@request)
+        SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
+        hash = SecureHeaders.header_hash_for(request)
         expect(hash['Content-Security-Policy-Report-Only']).to be_nil
         expect(hash['Content-Security-Policy']).to be_nil
+        expect(hash['X-Content-Type-Options']).to be_nil
       end
 
       it "allows you to opt out entirely" do
         Configuration.default
-        SecureHeaders.opt_out_of_all_protection(@request)
-        hash = SecureHeaders.header_hash_for(@request)
+        SecureHeaders.opt_out_of_all_protection(request)
+        hash = SecureHeaders.header_hash_for(request)
         ALL_HEADER_CLASSES.each do |klass|
           expect(hash[klass::CONFIG_KEY]).to be_nil
         end
@@ -51,8 +42,8 @@ module SecureHeaders
 
       it "allows you to override X-Frame-Options settings" do
         Configuration.default
-        SecureHeaders.override_x_frame_options(@request, XFrameOptions::DENY)
-        hash = SecureHeaders.header_hash_for(@request)
+        SecureHeaders.override_x_frame_options(request, XFrameOptions::DENY)
+        hash = SecureHeaders.header_hash_for(request)
         expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::DENY)
       end
 
@@ -62,17 +53,36 @@ module SecureHeaders
           config.csp = OPT_OUT
         end
 
-        SecureHeaders.override_x_frame_options(@request, XFrameOptions::SAMEORIGIN)
-        SecureHeaders.override_content_security_policy_directives(@request, default_src: %w(https:), script_src: %w('self'))
+        SecureHeaders.override_x_frame_options(request, XFrameOptions::SAMEORIGIN)
+        SecureHeaders.override_content_security_policy_directives(request, default_src: %w(https:), script_src: %w('self'))
 
-        hash = SecureHeaders.header_hash_for(@request)
+        hash = SecureHeaders.header_hash_for(request)
         expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; script-src 'self'")
         expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
 
+      it "produces a UA-specific CSP when overriding (and busting the cache)" do
+        config = Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            child_src: %w('self'), #unsupported by firefox
+            frame_src: %w('self')
+          }
+        end
+        firefox_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:firefox]))
+
+        # append an unsupported directive
+        SecureHeaders.override_content_security_policy_directives(firefox_request, plugin_types: %w(flash))
+        # append a supported directive
+        SecureHeaders.override_content_security_policy_directives(firefox_request, script_src: %w('self'))
+
+        hash = SecureHeaders.header_hash_for(firefox_request)
+        expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; frame-src 'self'; script-src 'self'")
+      end
+
       it "produces a hash of headers with default config" do
         Configuration.default
-        hash = SecureHeaders.header_hash_for(@request)
+        hash = SecureHeaders.header_hash_for(request)
         expect_default_values(hash)
       end
 
@@ -87,7 +97,15 @@ module SecureHeaders
       it "does not set the HPKP header if request is over HTTP" do
         plaintext_request = Rack::Request.new({})
         Configuration.default do |config|
-          config.hpkp = example_hpkp_config
+          config.hpkp = {
+            max_age: 1_000_000,
+            include_subdomains: true,
+            report_uri: '//example.com/uri-directive',
+            pins: [
+              { sha256: 'abc' },
+              { sha256: '123' }
+            ]
+          }
         end
 
         expect(SecureHeaders.header_hash_for(plaintext_request)[PublicKeyPins::HEADER_NAME]).to be_nil
@@ -102,26 +120,67 @@ module SecureHeaders
             }
           end
 
-          SecureHeaders.append_content_security_policy_directives(@request, script_src: %w(anothercdn.com))
-          hash = SecureHeaders.header_hash_for(@request)
+          SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
+          hash = SecureHeaders.header_hash_for(request)
           expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
+        it "dups global configuration just once when overriding n times and only calls idempotent_additions? once" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self')
+            }
+          end
+
+          expect(CSP).to receive(:idempotent_additions?).once
+
+          # before an override occurs, the env is empty
+          expect(request.env[SECURE_HEADERS_CONFIG]).to be_nil
+
+          SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
+          new_config = SecureHeaders.config_for(request)
+          expect(new_config).to_not be(Configuration.get)
+
+          SecureHeaders.override_content_security_policy_directives(request, script_src: %w(yet.anothercdn.com))
+          current_config = SecureHeaders.config_for(request)
+          expect(current_config).to be(new_config)
+
+          SecureHeaders.header_hash_for(request)
+        end
+
+        it "doesn't allow you to muck with csp configs when a dynamic policy is in use" do
+          default_config = Configuration.default
+          expect { default_config.csp = {} }.to raise_error(NoMethodError)
+
+          # config is frozen
+          expect { default_config.send(:csp=, {}) }.to raise_error(RuntimeError)
+
+          SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
+          new_config = SecureHeaders.config_for(request)
+          expect { new_config.send(:csp=, {}) }.to raise_error(Configuration::IllegalPolicyModificationError)
+
+          expect do
+            new_config.instance_eval do
+              new_config.csp = {}
+            end
+          end.to raise_error(Configuration::IllegalPolicyModificationError)
+        end
+
         it "overrides individual directives" do
           Configuration.default do |config|
             config.csp = {
               default_src: %w('self')
             }
           end
-          SecureHeaders.override_content_security_policy_directives(@request, default_src: %w('none'))
-          hash = SecureHeaders.header_hash_for(@request)
+          SecureHeaders.override_content_security_policy_directives(request, default_src: %w('none'))
+          hash = SecureHeaders.header_hash_for(request)
           expect(hash[CSP::HEADER_NAME]).to eq("default-src 'none'")
         end
 
         it "overrides non-existant directives" do
           Configuration.default
-          SecureHeaders.override_content_security_policy_directives(@request, img_src: [ContentSecurityPolicy::DATA_PROTOCOL])
-          hash = SecureHeaders.header_hash_for(@request)
+          SecureHeaders.override_content_security_policy_directives(request, img_src: [ContentSecurityPolicy::DATA_PROTOCOL])
+          hash = SecureHeaders.header_hash_for(request)
           expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; img-src data:")
         end
 
@@ -134,9 +193,9 @@ module SecureHeaders
             }
           end
 
-          request = Rack::Request.new(@request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
-          nonce = SecureHeaders.content_security_policy_script_nonce(request)
-          hash = SecureHeaders.header_hash_for(request)
+          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
+          nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
+          hash = SecureHeaders.header_hash_for(safari_request)
           expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
         end
 
@@ -149,15 +208,15 @@ module SecureHeaders
             }
           end
 
-          request = Rack::Request.new(@request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
-          nonce = SecureHeaders.content_security_policy_script_nonce(request)
+          chrome_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
+          nonce = SecureHeaders.content_security_policy_script_nonce(chrome_request)
 
           # simulate the nonce being used multiple times in a request:
-          SecureHeaders.content_security_policy_script_nonce(request)
-          SecureHeaders.content_security_policy_script_nonce(request)
-          SecureHeaders.content_security_policy_script_nonce(request)
+          SecureHeaders.content_security_policy_script_nonce(chrome_request)
+          SecureHeaders.content_security_policy_script_nonce(chrome_request)
+          SecureHeaders.content_security_policy_script_nonce(chrome_request)
 
-          hash = SecureHeaders.header_hash_for(request)
+          hash = SecureHeaders.header_hash_for(chrome_request)
           expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
         end
       end

data/spec/spec_helper.rb

@@ -3,9 +3,12 @@ require 'rspec'
 require 'rack'
 require 'pry-nav'
 
+require 'coveralls'
+Coveralls.wear!
+
 require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
 
-ENV["RAILS_ENV"] = "test"
+
 
 USER_AGENTS = {
   firefox: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.0.3
+  version: 3.1.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-29 00:00:00.000000000 Z
+date: 2016-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -59,6 +59,7 @@ files:
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
 - lib/secure_headers/headers/content_security_policy.rb
+- lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
@@ -67,12 +68,12 @@ files:
 - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
 - lib/secure_headers/headers/x_xss_protection.rb
 - lib/secure_headers/middleware.rb
-- lib/secure_headers/padrino.rb
 - lib/secure_headers/railtie.rb
 - lib/secure_headers/view_helper.rb
 - secure_headers.gemspec
 - spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
+- spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
@@ -83,7 +84,6 @@ files:
 - spec/lib/secure_headers/middleware_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
-- travis.sh
 - upgrading-to-3-0.md
 homepage: https://github.com/twitter/secureheaders
 licenses:
@@ -113,6 +113,7 @@ summary: Add easily configured security headers to responses including content-s
 test_files:
 - spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
+- spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb

data/lib/secure_headers/padrino.rb

@@ -1,13 +0,0 @@
-module SecureHeaders
-  module Padrino
-    class << self
-      ##
-      # Main class that register this extension.
-      #
-      def registered(app)
-        app.helpers SecureHeaders::InstanceMethods
-      end
-      alias_method :included, :registered
-    end
-  end
-end

data/travis.sh

@@ -1,10 +0,0 @@
-#! /bin/sh
-
-bundle install >> /dev/null &&
-bundle exec rspec --format progress spec &&
-cd fixtures/rails_3_2_12 &&
-bundle install >> /dev/null &&
-bundle exec rspec --format progress spec &&
-cd ../../fixtures/rails_3_2_12_no_init &&
-bundle install >> /dev/null &&
-bundle exec rspec spec